Microsoft makes multi-factor authentication mandatory for the Azure portal
In a move to enhance security, Microsoft has announced a transition towards mandatory Multi-Factor Authentication (MFA) for various services and applications under its umbrella. The transition will occur in two phases, starting from October 2024.
Phase 1: October 2024
From October 2024, accounts will be required to use MFA to log into the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center when performing Create, Read, Update, or Delete (CRUD) operations. The Microsoft 365 admin center will follow suit in February 2025.
Companies still using user-based service accounts in Microsoft Entra ID are advised to migrate them to cloud-based workload identities, such as managed identities and service principals, as these are unaffected by both phases of MFA enforcement.
Emergency Access Accounts
Emergency access accounts must also use MFA upon enforcement. For added security, Microsoft recommends updating these accounts to use Passkeys (FIDO2) or configuring certificate-based authentication for MFA. Both methods meet MFA requirements.
User Identities and Automations
User identities are not recommended for automation, such as scripts or other automated tasks. If a user identity is used as a service account for such tasks, it must sign in with MFA once enforcement begins.
ROPC-Based APIs
The OAuth 2.0 Resource Owner Password Credentials (ROPC) token grant flow is not compatible with MFA in the Microsoft Intune admin center. ROPC-based APIs used in applications will throw exceptions after MFA is enabled in your Microsoft Entra tenant. For more information on migrating ROPC-based APIs in Microsoft Authentication Libraries (MSAL), see Migrating from ROPC.
Exceptions and Further Information
Exceptions to the MFA requirement include organizations already enforcing MFA or using secure methods like passwordless login or Passkeys (FIDO2). A table outlining the affected applications, app IDs, and URLs is provided for the Azure portal, Microsoft Entra admin center, Microsoft Intune admin center, Azure CLI, Azure PowerShell, Azure mobile app, Infrastructure as Code (IaC) tools, REST API endpoints, and Azure SDK.
Language-specific MSAL guides can be found on the provided tabs. It's worth noting that MFA can prevent over 99% of account attacks, according to Microsoft's own research.
Phase 2: October 1, 2025
Starting October 1, 2025, MFA will also be required for logging into Azure CLI, Azure PowerShell, Azure Mobile App, IaC tools, and REST API endpoints - but only for create, update, or delete operations. Read operations will still be possible without MFA.
Administrators are advised to update their clients to Azure CLI version 2.76 and Azure PowerShell version 14.3 or later by this time.
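One way to prepare for both phases is to audit exported sign-in records for user identities that reach the affected applications through ROPC or with a single factor. The Python script below is an added example, not Microsoft's code: the record field names (assumed to follow the Microsoft Graph signIn schema), the app display names, and the contoso.example accounts are assumptions, and the sample records are constructed.

```python
import json

# Constructed sample records shaped like exported Microsoft Entra sign-in logs.
# Field names are assumed to follow the Microsoft Graph signIn schema.
SAMPLE = json.loads("""[
 {"userPrincipalName":"svc-deploy@contoso.example","appDisplayName":"Microsoft Azure CLI",
  "authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication"},
 {"userPrincipalName":"svc-deploy@contoso.example","appDisplayName":"Microsoft Azure CLI",
  "authenticationProtocol":"ropc","authenticationRequirement":"singleFactorAuthentication"},
 {"userPrincipalName":"admin@contoso.example","appDisplayName":"Azure Portal",
  "authenticationProtocol":"oAuth2","authenticationRequirement":"multiFactorAuthentication"},
 {"userPrincipalName":"breakglass@contoso.example","appDisplayName":"Azure Portal",
  "authenticationProtocol":"oAuth2","authenticationRequirement":"singleFactorAuthentication"},
 {"servicePrincipalName":"ci-pipeline","appDisplayName":"Microsoft Azure CLI",
  "authenticationProtocol":"oAuth2","authenticationRequirement":"singleFactorAuthentication"},
 {"userPrincipalName":"user@contoso.example","appDisplayName":"Office 365 Exchange Online",
  "authenticationProtocol":"oAuth2","authenticationRequirement":"singleFactorAuthentication"}
]""")

# Assumption: display names as they appear in your tenant's logs, mapped to the
# enforcement phase described above. Extend with the other in-scope apps.
PHASE_BY_APP = {"Azure Portal": 1, "Microsoft Entra admin center": 1,
                "Microsoft Intune admin center": 1,
                "Microsoft Azure CLI": 2, "Microsoft Azure PowerShell": 2}

def audit(signins):
    """Return {(user, app): {"phase", "count", "reasons"}} for sign-ins at risk."""
    findings = {}
    for rec in signins:
        user = rec.get("userPrincipalName")
        phase = PHASE_BY_APP.get(rec.get("appDisplayName"))
        if not user or phase is None:
            continue  # workload identities and out-of-scope apps are unaffected
        reasons = set()
        if rec.get("authenticationProtocol") == "ropc":
            reasons.add("ROPC cannot satisfy MFA")
        if rec.get("authenticationRequirement") != "multiFactorAuthentication":
            reasons.add("single-factor sign-in")
        if reasons:
            hit = findings.setdefault((user, rec["appDisplayName"]),
                                      {"phase": phase, "count": 0, "reasons": set()})
            hit["count"] += 1
            hit["reasons"] |= reasons
    return findings

if __name__ == "__main__":
    for (user, app), hit in sorted(audit(SAMPLE).items()):
        print(f"phase {hit['phase']}: {user} -> {app} x{hit['count']}: {sorted(hit['reasons'])}")
```

Sign-in records do not show whether a session went on to create, update, or delete anything, so phase 2 hits are candidates to review rather than confirmed breakages.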
In conclusion, the transition to MFA is a significant step towards enhancing security across Microsoft services. Users and administrators are encouraged to prepare for these changes and migrate their service accounts and applications accordingly. For more information, visit the Microsoft documentation provided.